It’s not just Asus customers who should be concerned
Security specialist Kaspersky has discovered malware in the update system of Asus, a major computer hardware company. Referred to as SledgeHammer, the attack used a file disguised as a genuine Asus update, but which actually installed a malicious backdoor on users’ computers.
Pushed out to customers from a compromised server, the file was signed with Asus’s own digital signatures, making it appear to be a real update. It was only discovered after Kaspersky added new features to its security tools, designed to detect exactly this kind of hack. According to Kaspersky, the malware had been active for at least five months at this point, and had been sent to around half a million users.
Of course, inserting malicious code into seemingly legitimate software isn’t a new form of crime; Trojan horse attacks have been around for decades. What’s particularly notable is that the hackers managed to hijack the digital signing process – the very part of the system that is supposed to defend against fake updates being created.
The SledgeHammer attack also highlights a type of cyber crime that is perhaps less well-known than it should be: the supply chain attack. Perhaps more than anything, this is what businesses need to be aware of.
What Is A Supply Chain Attack?
Every stage of business, from raw materials, through to manufacturing, distribution and sales, involves technology in some form or another. That, unfortunately, means every link in the supply chain is a potential entry point for hackers.
Cyber criminals know this, and will identify weak spots in the chain, which they can then exploit. In many cases, this will mean injecting malicious code into software or firmware. Like SledgeHammer, this might be via an update system, but malware can be introduced even earlier than this, during the manufacturing stage.
And, of course, all businesses have relationships and connections with vendors and suppliers. Those, too, all represent potential vulnerabilities, where criminals can introduce malware. You can find examples of supply chain attacks on the National Cyber Security Centre website, including the Shylock trojan, which infected website-building companies to eventually make its way into their clients’ sites.
How To Protect Yourself From Supply Chain Attacks
It would be impossible to police every part of your supply chain, so the best you can do is to make sure your own defences are strong. Business is built on trust, but you shouldn’t assume your vendors, suppliers, partners and customers have adequate cyber security. In fact, it’s probably wise to assume that they don’t.
For your part, you need to make sure your software and hardware are all up to date, and that you have technology which scans all files on your network, whether they come from internal or external sources. While SledgeHammer demonstrates how this process can be hijacked by criminals, updates and patches are nevertheless a vital part of cyber security.
Finally, you should have an effective, reliable backup and disaster recovery solution, and that you have some kind of cyber insurance. If all else fails, you should at least be able to get your business back on track and minimise your losses.